API Key Protection

Managing the keys and secrets used by your apps to access multiple 3rd party APIs is a challenging problem. A
common approach is to centralize keys on a proxy server and route all app traffic through it. Approov provides the vital
App Legitimacy capabilities necessary to enable this solution effectively.

API Keys are Vulnerable

Useful apps are dependent on the data and services provided by multiple APIs from a range of vendors. A typical enterprise
app will make use of both internal and 3rd party APIs each with its own approach to access management and
associated charges.

Most APIs require apps to present some sort of valid API key with each request to allow access.
Failing to protect this key from misuse can have a number of consequences:

Paying for someone else's access to a pay-per-call API.

Key revocation due to use outside of terms of service.

Rate Limiting due to overuse.

The API keys used by your apps can fall into the wrong hands in a number of ways. They can
simply be extracted from from the distribution package and redeployed in scripts, and it is not uncommon for keys to be
accidentally uploaded by developers to public code sharing sites with GitHub and BitBucket.

Protect API Keys with Approov

To address both the security and management issues around keeping API keys safe, a common
solution is to centralize use of keys into a single proxy server.

Introducing a proxy server for all API requests across your apps can simplify deployment significantly. All API calls from
all apps are directed to the proxy server instead of going directly to 3rd party (and internal) APIs. The proxy
service looks up the relevant API key and adds it to the request with the appropriate headers before forwarding it onto
the required API.

By removing API keys from the app you make it impossible for attackers to reverse engineer the
secrets. This is far more effective than using code obfuscation or app hardening techniques. Server side assets are easier
to control and manage. For heightened security keys can be encrypted at rest or even stored in a hardware security module.

Development is also simplified with the use of a unified API proxy. App developers, including 3rd parties and
contractors, no longer need access to API keys directly, removing issues around security as well as key renewal and revocation.
Where only a subset of a 3rd party API is used, a simplified version of the API can be presented to developers,
reducing app complexity and increasing API security.

The only weakness in this strategy is that you still need to protect the API of your proxy
server. Since the issue is protecting API keys by not deploying them in an app, it does not make sense to use a
traditional API key to try and achieve this.

Instead, Approov is deployed in the client side app. This avoids all of the issues
surrounding securing static API keys while providing your proxy server with a high reliability method of identifying
requests from authorized apps, thus enabling a complete solution for API key protection.